The Music of Security Operations OrchestrationMuch like playing in a rock band, it takes practice to get everybody singing the same tune in security operations. By: Alfredo Reino
Here is a reflection on the similarities between making music, say in a rock band, and a cybersecurity operations orchestration team responding to an incident.
Although it’s been some time since I played on stage, I still jam with friends, and yes, you can grab any instrument and play chord progressions or well-known songs even if you’ve never played before as a band. But nothing compares to a competent band playing well-rehearsed songs on instruments and equipment they know well.
In the same way you can have your security operations team run around responding to an incident, using whatever tools you have at your disposal. It's a better and more satisfying performance if everyone has proper tools and knows what they are doing and understands their part in the process. Here are some tips for making that happen!
First, everyone should play in tune.
Tools should be properly set up and configured before the incident. In the same way you don’t start tuning your guitar after the song has begun, it’s a recipe for disaster if security solutions need configuring or fine-tuning during an incident.
Whether you are collecting information, enriching the ingested telemetry with threat intelligence, triaging or taking containment and response actions, know your tools.
Also, you need the minimum set of instruments to achieve the sound you want. Throwing more technology (and people) at the problem has a positive effect initially, but you hit the asymptotic wall of diminishing returns quickly. Just because you have something lying around doesn’t mean it will contribute to the sound.
Knowing your tools intimately is the key to effective security operations orchestration. Tools shouldn’t surprise you in the middle of something critical. Take care of your tools and instrumentation, or get someone to take care of them for you.
Second, learn the structure of the songs.
Incidents are rarely simple and they’re all different. But incidents tend to follow common sequences and patterns.
Threat actors are rarely innovative artists, and they will string together anything that works to suit their purposes. We have kill chains and the MITRE ATT&CK framework for a reason.
Knowing common sequences of tactics, techniques and procedures is as useful as recognizing the 12-bar blues and being able to find your place even if you don’t know the particular song.
Third, playing on time is fundamental.
Whether you have well-rehearsed manual processes or you rely on a dependable automation and orchestration platform, achieving good coordination between the people, process and technology elements is invaluable.
Good playbooks, constantly revised, allow the team to focus on what’s important, leaving the rest to muscle memory or automation.
Fourth, being able to improvise when it makes sense.
No incident is exactly like the previous one, and while tools and well-practiced processes can help deliver consistent incident response, the human brain is the best tool for detecting patterns and coming up with novel approaches to problems.
Knowing when to stick to the process, and when to try new things, is what differentiates the the true artist or SOC analyst from amateurs. In the same way a kickass guitar or keyboard solo sounds so much better when there is a solid rhythmic foundation to propel the tune forward, security operations orchestration means you aren’t stuck improvising on shaky grounds.
Lastly, incident response, like playing in a band, is about the whole team.
Each member, from the sound engineers to the roadies to the musicians, plays a part, simple or complex. It is the same for cybersecurity operations.
From the teams ensuring you get proper telemetry to the teams performing threat or vulnerability analysis, or providing threat intelligence, or executing remediation actions.
Everyone plays a part. After all, we don’t call it defense-in-concert for nothing. The threat landscape is growing in complexity, but a solid team relying on the best tools and threat intelligence and well-practiced playbooks is well prepared to outpace the adversary.
The collective goals are to prevent incidents whenever possible via solid security engineering and vulnerability management, detect incidents as early as possible to minimize impact, and deliver cost-effective remediation and response.
Like with a band, the net effect of good security operations orchestration is greater than the individual members, and it can only get better with practice.
Also practice. Practice until your fingers bleed.
There is nothing quite like a good performance by a team who know what they are doing. Practice hard and often, and you’ll soon be singing a different tune when you respond to incidents.
Learn how Taegis™ XDR can bring harmony to your environment and improve your security orchestration in this webinar.